From: <Chr...@t-...> - 2003-05-04 11:45:03
Please have a look at: http://www.securitytracker.com/alerts/2003/Mar/1006256.html

Several vulnerabilities were reported in PostNuke. A remote user can inject SQL commands to be executed by the underlying database server. A remote user can also execute any PHP code located on the server.

SCAN Associates reported that there is an input validation flaw in the Members_List module in the $sortby variable. A remote user can inject SQL commands to be executed in that variable. A demonstration exploit URL is provided:

http://[target]/modules.php?op=modload&name=Members_List&file=index&letter=[username]&sortby=[sqlquery]

It is also reported that a remote user can supply a specially crafted file name composed of directory traversal characters ('../') to the $theme variable to include arbitrary files located on the target server. A remote user can cause any file on the target server that is readable by the web server to be included and, if it contains PHP code, to be executed by the target server. The executed PHP code will run with the privileges of the web server. A demonstration exploit URL is provided:

http://[target]/index.php?theme=../../../../../../../../tmp

Impact: A remote user can inject SQL commands to be executed by the underlying SQL database. A remote user can execute arbitrary PHP code, including operating system commands, on the target server with the privileges of the target web server.

Solution: The vendor has released a security fix for version 0.723, available as described below.
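
Added example (not part of the original message and not PostNuke's own code): PHP allow-list checks of the kind that close off the two input-validation flaws described above, one for a sort column like $sortby and one for a theme name like $theme. The function names, column names, theme name and temporary themes directory are assumptions made for the illustration.

```php
<?php
// Added illustration with hypothetical helper names; not PostNuke source code.

// Column names cannot be bound as query parameters, so the request value is
// only ever compared against a fixed list (column names here are assumed).
function safe_sort_column(?string $sortby, string $default = 'uname'): string
{
    $allowed = ['uname', 'name', 'email'];
    return in_array($sortby, $allowed, true) ? $sortby : $default;
}

// A theme must be one path component naming an existing directory under the
// themes root, so traversal sequences never reach include/require.
function safe_theme(?string $theme, string $themesRoot, string $default): string
{
    if ($theme === null || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $theme)) {
        return $default;
    }
    $root = realpath($themesRoot);
    $path = realpath($themesRoot . DIRECTORY_SEPARATOR . $theme);
    // realpath() resolves symlinks; the result must still sit under the root.
    if ($root === false || $path === false || !is_dir($path)
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return $default;
    }
    return $theme;
}

// Constructed demo: a temporary themes root with a single theme directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'themes_demo_' . getmypid();
mkdir($root . DIRECTORY_SEPARATOR . 'demo_theme', 0700, true);

// Constructed request values; the rejected ones reuse the advisory's strings.
$requests = [
    ['sortby' => 'email',      'theme' => 'demo_theme'],
    ['sortby' => '[sqlquery]', 'theme' => '../../../../../../../../tmp'],
    ['sortby' => null,         'theme' => null],
];
foreach ($requests as $r) {
    printf("sortby=%s theme=%s\n",
        safe_sort_column($r['sortby']),
        safe_theme($r['theme'], $root, 'demo_theme'));
}

rmdir($root . DIRECTORY_SEPARATOR . 'demo_theme');
rmdir($root);
```

Only the first request keeps its own values; the other two fall back to the defaults, so neither the sort key nor the theme name from the request is ever concatenated into a query or an include path.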